I no longer have the computer in my shop. Had to let it leave after I took care of the infection.
It had a few things that were removed, but one that confused me was a lone .dat file in the ProgramData directory. Even after running Malwarebytes, etc., it still was spawning iexplore.exe processes. If I managed to get one to come forward, it was showing that it was going to 'clickpassive.org', etc.
I saved the file that I removed. I ran it through VirusTotal; only Norman and Sophos see anything, and their detections are, as expected anymore, not consistent with each other.
What gets me about it, however, is that nowhere in the registry or windows\tasks or windows\system32\tasks folder does the name of the file show up. I removed the file, and I was no longer getting iexplore.exe processes spawning.
I have uploaded it to my webserver, for examination by others here.
This is not a directly executable file, so I didn't bother to neuter it in any way.
My question is, where can this file be called, if not from the registry or scheduled tasks?